RU2517411C1 - Method of managing connections in firewall - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method involves receiving packets from an external network; creating a table of connections; determining the total number of currently established connections; determining the load level of the firewall by comparing the number of established connections with a threshold; determining new and established connections based on two-way exchange of packets between a client and a server; determining connection termination based on processing ICMP messages on errors or flags in the TCP header; dynamically determining current connection timeout values based on the type of the network protocol, the connection status and load level of the firewall; changing the timestamp of processing the last packet if any packet is transmitted within a given connection or within a group of connections; terminating a connection if the timestamp of processing the last packet differs from the current time more than the timeout of said connection.

EFFECT: high reliability of established connections and providing maximum throughput with a high load.

1 tbl

Description

FIELD OF THE INVENTION

The present invention relates to computer technology and, in particular, to methods for managing connections in the firewalls used in data networks.

State of the art

To ensure security in modern data transmission networks, specialized devices, firewalls (MEs) are often used to separate network sections from other sections and trunk lines. Most MEs implement connection tracking mechanisms that allow contextual processing of traffic and thereby increase the level of network security. Since storing information about established connections consumes ME resources, it is necessary to limit the number of simultaneously established connections and delete unused connections.

Such a task becomes especially significant when the load on the ME is increased.

Different methods are used to ensure stability and maximum throughput in network devices under increased loads and overloads.

So, for example, in network routers under increased load, methods can be used to control the size of the input queue (RED / WRED algorithm) and / or block packets when the input buffer is full (Leaky bucket algorithm) [1, 2]. Despite the fact that these mechanisms quite effectively cope with network congestion, they have a number of disadvantages due to the scope of their application. Since routers operate at the network level of the OSI model, they focus solely on the IP header, without analyzing the connection context. Thus, in case of congestion, the network router will drop packets related to already established connections, along with new requests, which will lead to the disconnection of established connections, which, in particular, is also the target of denial of service attacks (DoS / DDoS attacks )

There is also a method of controlling the state of connections [3] in a network device that performs the functions of ME and contains

- processor;

- memory module;

- a network interface module that provides receiving data packets from an external data network and transmitting packets to the internal network;

- providing modules.

The method includes the following steps:

- receive packets from an external network;

- form a connection table containing the following information:

- type of network protocol;

- connection status;

- time stamp of the processing of the last packet;

- determine the total number of established connections at a given time;

- analyze the data for each compound available in the table of compounds;

- delete the connection if the time stamp of the processing of the last packet in the connection exceeds a predetermined threshold value.

The direct implementation of the operations in the method is provided using software (software) installed in the ME.

The known method is adopted as a prototype for the proposed technical solution.

The main mechanism for cleaning the table is the removal of obsolete connections, which are determined by comparing the processing time stamp of the last packet in the connection with a predetermined threshold value - timeout (by the timeout we mean the waiting time for packets in the connection before closing it). If you fill out the connection table before adding a new connection, it searches for and removes obsolete connections using the LRU-algorithm (Least Recently Used). Such a mechanism for cleaning obsolete connections does not work best under increased ME loads, since each new connection will require cleaning the filled table and will require calling the LRU algorithm. Finding outdated connections is a resource-intensive operation, so accessing it for each new package can lead to exhaustion of the processor resource and reduce the processing speed of all traffic. On the other hand, additional delays in the processing of traffic can lead to an overflow of the input packet buffer, which will lead to the loss of unprocessed packets. Since lost packets will relate to both new connections and already established ones, this will result in disruption of traffic exchange within the established connections. The low efficiency and disruption of the established connections at high loads is the main disadvantage of this method.

In a known method for searching the connection table, it is also proposed to use hash values calculated based on data from the packet (source address, destination address, source port, destination port). In this case, for the source packet (from the client to the server) and for the response packet, it is assumed that the same hash value is generated by rearranging the source and destination addresses when generating the hash value for the response packet. The proposed method does not take into account the possibility of modifying the packet as a result of address translation (NAT), which narrows the scope of its application.

In addition, the known method does not take into account groups of logically connected connections. So, for example, when passing an ICMP error message, you must close the connection to which it belongs. And within some protocols, such as FTP, additional connections can be created for transmission, and it is necessary to control the lifetime for the entire group of connections, and not for individual connections. These limitations are also a disadvantage of the known method.

Disclosure of invention

The proposed method allows to solve the problem of cleaning the connection table in the ME, including at high loads.

The technical result is:

- ensuring stable and reliable processing of established network connections regardless of the level of ME load;

- ensuring maximum throughput while increasing the load ME.

An additional technical result is:

- increasing the resistance of the firewall to DoS / DDoS attacks;

- Ability to manage connections with address translation;

- the ability to manage a group of logically connected connections for applied network protocols.

For this, a method for managing connections in the firewall is proposed, which consists in the fact that

- receive packets from an external network;

- form a connection table containing the following information:

- information about packets included in the connection (source packet, response packet, ICMP errors);

- information about package conversions in case of address translation; about the type of network protocol;

- connection status (new, established, closed); time stamp of the processing of the last packet;

- information on connection groups in the case of application protocols (FTP, SIP);

- determine the total number of established connections at a given time;

- determine the load level of the firewall by comparing the number of established connections with a certain threshold value;

- determine new and established connections based on two-way packet exchange between the client and server;

- determine closed connections based on the processing of ICMP error messages or flags in the TCP header (only for the TCP protocol);

- dynamically determine the current timeout values for connections based on the following parameters:

- type of network protocol;

- connection status;

- firewall load level;

- change the time stamp of the processing of the last packet in the case of passing any packet within a given connection or within a group of connections;

- delete the connection if the processing time stamp of the last packet differs from the current time more than the timeout of this connection.

Thus, in contrast to the known method, in the proposed method, the connection timeouts dynamically change when the ME load changes. As the load increases, the current timeout values decrease, which increases the throughput of the ME.

In contrast to the known method, the table is cleaned of obsolete connections on a periodic basis, and not during the processing of each new package, therefore, the processor resource costs for removing obsolete connections will be constant and will not depend on the ME load.

Established connections take precedence over new connections, so if you fill out the connection table, requests for new connections will be blocked, and traffic processing within the framework of already established connections is not violated.

The mechanism for monitoring the state of compounds allows increasing the resistance of MEs to DoS / DDoS attacks. In particular, the use of the principles of “three-way handshake” for all protocols (similar to setting up connections in TCP) can significantly reduce the likelihood of a UDP-flood attack, since all connections within which two-way packet exchange was not made will be considered new and cleaned first.

The implementation of the invention

Consider an example of the implementation of the proposed method in the ME connecting an external network (for example, the Internet) and an internal corporate data network.

ME consists of the following elements:

- processor;

- memory module (operational and permanent);

- a network interface module that receives data packets from an external network and sends packets to and from the internal network.

ME works under the control of a general-purpose operating system (for example, Linux Ubuntu 9.10) and software (software) that implements the necessary ME functions.

When describing the algorithm, the term “client” will be applied to the host initiating the connection, and the term “server” to the host receiving the connection. The source package will mean the package from the client to the server, and the response package - from the server to the client.

Using software, the following are implemented:

- packet filtering subsystem;

- connection processing subsystem;

- subsystem for processing application protocols.

Before the ME starts, in the packet filtering subsystem, the user (or system administrator) can set network packet processing rules (filters) for a specific configuration of the internal network. Also, the administrator can specify the following values in the connection processing subsystem:

- the maximum allowable number of established connections (Max-Connection);

- maximum timeout value for new and closing connections (TimeoutNewOrClosed);

- The maximum timeout value for UDP connections (TimeoutUdp);

- maximum timeout value for TCP connections (TimeoutTcp);

- maximum timeout value for other connections (TimeoutlpOther);

- the frequency of cleaning outdated connections (TimeoutCleanup).

The functions of the packet filtering subsystem include:

- blocking the packet in accordance with the configured network filters;

- modification of the package in accordance with the configured translation rules;

- transfer of the packet to the connection processing subsystem (if the packet was skipped by the filter).

The functions of the connection processing subsystem include:

- formation and modification of the connection table;

- the formation and modification of one or more tables to search for packages belonging to connections;

- verification of conformity (belonging) of received packets to established connections;

- connection state management (creation, change of state, deletion);

- management of timeout values for connections.

The functions of the application protocol processing subsystem include:

- search in the package of requests for the installation of additional connections;

- registration of new compounds in the connection processing subsystem;

- Establishing relationships between child and parent connections within a group of connections.

The connection table contains a list of all established connections and related information:

- information about packets included in the connection (source packet, response packet, ICMP errors).

- type of network protocol;

- connection status;

- time stamp of the processing of the last packet;

- information about package conversions in case of address translation;

- information on connection groups in the case of application protocols (FTP, SIP).

Packet lookup tables are an indexed list of packages optimized to speed up searches. The list of packages can be implemented in the form of a binary search tree, a hash table, or in another way. At the same time, several lists can be used at once to search for packages, each of which processes individual types of packages, based on information specific to them. For example, to process ICMP error messages, you need to analyze not only the packet header, but also its contents.

Packets received by the network interface module are first checked for belonging to already established connections. If the package belongs to the established connection, then the connection processing subsystem performs all the necessary actions on the package, and this is where the processing ends.

If no suitable connection is found, the packet is sent for inspection to the packet filtering subsystem. The filtering subsystem checks the packet for compliance with the configured filters, and also performs its modification, in accordance with the configured address translation rules. If the packet turned out to be blocked by one of the filters, then this completes its processing.

If the filtering subsystem allowed the packet to be processed for further processing, a record about a new connection is created in the connection processing subsystem. When creating a new connection, information about all packets transmitted within the connection is determined. Information about packets belonging to the connection is stored in the lookup tables.

If during processing the packet was modified by translation rules, then this information is reflected in the connection information as follows. Before modification, the packet is saved as the original packet, and a response packet is formed on the basis of the changed packet (by rearranging the addresses and ports of the sender and receiver). In addition, information about the packet transformation is saved in the connection with the indication of those packet fields that were changed by the NAT rule (SourcelP, SourcePort, DestinationIP, DestinationPort). Based on the stored information within the connection, the following packet processing takes place:

- if a packet is received from the client to the server and the SourcelP / SourcePort flag is set in the packet conversion information, then the packet sets the IP address / port of the sender from the response packet as the IP address / port of the sender;

- if a packet is received from the server to the client and the SourcelP / SourcePort flag is set in the packet conversion information, then the packet IP address / port is set to the IP address / port of the sender from the source packet;

- if a packet is received from the client to the server and the DestinationlP / DestinationPort flag is set in the packet conversion information, then in the packet, the IP address / port of the sender from the response packet is set as the recipient's IP address / port;

- if a packet is received from the server to the client and the DestinationlP / DestinationPort flag is set in the packet conversion information, then in the packet, the IP address / port of the recipient from the source packet is set as the IP address / port of the sender.

For some application protocols, such as FTP and SIP, it is necessary to organize connections into groups for their joint management. Connection groups are created in the application protocol processing subsystem, which analyzes all transmitted traffic within the specified protocols and looks for requests for additional connections in the packet structure. When a request to establish an additional connection is detected, the application protocol processing subsystem registers a new connection in the connection processing subsystem and marks it as a child, while the connection within which the command was received is marked as parent.

When packets are processed as part of a connection, connection status information is monitored. To control the state of the connection, a set of flags (in a byte characterizing the state of the connection) is given in Table 1.

Table 1 Flag Binary representation Description Statenew 00000000b New connection Stateyn 00000001b 1st packet sent from client StateSynAck 00000010b 1st packet sent from server Stateack 00000100b 2nd packet sent from client StateEstablished 00000111b Connection established Statefinclient 00001000b Sent FIN by customer initiative StateFinAckClient 00010000b Customer Confirmed FIN Confirmation StateFinServer 00100000b Sent FIN server-initiated StateFinAckServer 01000000b Server-Initiated FIN Confirmation Stateclosed 01111000b Connection closed

The state of the connection changes depending on the current state of the connection, the direction of the packet and the TCP flags (only for the TCP protocol). Analysis of the current state of the connection is carried out using two types of operations: a comparison operator and verification of the set bits. The change in the state of the connection occurs by setting the corresponding bits.

When a new connection is created, its state is initialized with the value StateNew. After this, the two-way packet exchange is checked between the node initiating the connection (client) and the node receiving the connection (server). If the test succeeds, the connection status is StateEstablished.

The implementation of the two-way packet exchange check for any protocol is performed as follows:

- in the connection state, the StateSyn flag is set if the following conditions are true:

- The current state of the connection is StateNew;

- the processed packet is sent from the client to the server;

- in the case of TCP, the TCP flag SYN is set in the packet header;

- in the connection state, the StateSynAck flag is set if the following conditions are true:

- the current state of the connection is StateSyn;

- the processed packet is sent from the server to the client;

- in the case of the TCP protocol, the TCP flags SYN and ASK are set in the packet header;

- in the connection state, the StateAck flag is set if the following conditions are true:

- The current connection status is StateSynAck;

- the processed packet is sent from the client to the server;

- in the case of TCP, the TCP flag ASK is set in the packet header.

For TCP, a change in connection state is provided based on the TCP flags FIN and RST. The implementation of the processing of the completion of the TCP connection is as follows:

- in the connection state, the StateClosed flag is set if the RST flag is set in the header of the TCP packet;

- in the connection state, the StateFinClient flag is set if the following conditions are true:

- the FIN flag is set in the header of the TCP packet;

- the processed packet is sent from the client to the server;

- in the connection state, the StateFinServer flag is set if the following conditions are true:

- the FIN flag is set in the header of the TCP packet;

- the processed packet is sent from the server to the client;

- in the connection state, the StateFinAckClient flag is set if the following conditions are true:

- in the current state of connections, the StateFinClient flag is set;

- the ACK flag is set in the header of the TCP packet;

- the processed packet is sent from the server to the client;

- in the connection state, the StateFinAckServer flag is set if the following conditions are true:

- in the current state of connections, the StateFinServer flag is set;

- the ACK flag is set in the header of the TCP packet;

- the processed packet is sent from the client to the server.

If an ICMP error message (ICMP type is 3, 4, 11, or 12) is received within the connection for any protocol, then the StateClosed flag is set in the connection state.

When a packet passes through a connection, the current time is set as the connection's timestamp. For child connections that belong to a connection group, the timestamp of the parent connection is adjusted.

The connection processing subsystem periodically performs a procedure for cleaning outdated connections. When checking the relevance of a connection, only parent connections in the group are taken into account. If the difference between the current time and the timestamp of the connection exceeds the waiting time for this type of connection, then such a connection is deleted (if the parent connection is deleted, the entire group is deleted).

The connection timeout depends on its current state and protocol and is calculated each time the connection cleaning procedure is performed:

- if the StateEstablished flag is not set in the connection state or the StateClosed flag is set, then the value TimeoutNewOrClosed is taken as the connection timeout;

- if the previous condition is not met, then the connection timeout is set depending on the protocol (TimeoutTcp, TimeoutUdp, TimeoutlpOther).

Depending on the total number of connections currently established on the ME, the connection processing subsystem can adjust the set timeout values. Since connection timeouts are calculated dynamically based on the given constants, changing these constants affects the timeouts of all connections (both new and already established). For each type of timeouts (TimeoutNewOrClosed, TimeoutTcp, TimeoutUdp, TimeoutlpOther), in addition to its current value, the maximum value (which was set initially), as well as the minimum value and step of change, are remembered.

If the number of established connections exceeds a certain threshold value (UpperThreshold), the timeouts of all connections are reduced by the corresponding step of change, while the resulting value should not be less than the minimum. After the load decreases to the lower threshold value (LowerThreshold), the current timeout values increase by a step of change, and the result should not exceed the maximum timeout value for this type of connection. Thus, using the mechanism for dynamically changing timeouts, the ME can flexibly control the throughput depending on the current load.

The size of the connection table, threshold values, timeout values for different types of connections, and the cleaning period may vary depending on the characteristics of the equipment and the nature of the transmitted traffic.

The following ratios for threshold values may be recommended:

UpperThreshold = 0.8 * MaxConnection, LowerThreshold = 0.5 * MaxConnection.

In this case, the maximum size of the connection table (MaxConnection) is determined based on the amount of available ME memory and the amount of memory occupied by one connection (depends on the ME implementation).

When choosing values for timeouts, you should be guided by the general rule that the TCP connection timeout is several times higher than the UDP or IP connection timeout, which, in turn, is an order of magnitude greater than the timeout for new and closed connections. It is recommended that the connection cleaning period be set an order of magnitude shorter than the timeout of new and closed connections.

Based on experience, the following maximum timeout values (in seconds) can be recommended:

TimeoutTcp = 1800,

TimeoutUdp = TimeoutlpOther = 300,

TimeoutNewOrClosed = 5.

TimeoutCleanup = 0.5.

It is convenient to determine the step of the change and the minimum timeout value at the level of 20% of the maximum timeout value.

Let us examine how the use of the dynamic time-out mechanism and the monitoring of the state of connections can increase the resistance of MEs to DoS / DDoS attacks. Typically, DoS / DDoS attacks are characterized by a large number of connection requests sent from different IP addresses. Thus, the load on the ME sharply increases, while most of the connections are new (i.e., the StateEstablished flag is not set in them). Since the timeout value for new connections (TimeoutNewOrClosed) is much less than the timeouts for established connections, such connections will be cleared first of all, without creating problems for established connections.

Unlike the prototype, obsolete connections in the ME are cleaned on a periodic basis, and not during processing of the package, therefore, the processor resource costs for removing obsolete connections will be constant and will not depend on the ME load. If the maximum allowable number of connections is reached, the ME will be forced to block all new connection requests until the next cleaning cycle. But even in this case, an excess of the number of connections will only affect new connections and will not affect already established connections. As a result, the proposed method shows high resistance to denial of service attacks.

All the described procedures and algorithms can be implemented by a specialist in this field based on the fame of the functions performed. It should be noted that other options for implementing the proposed method are possible, which differ from the one described above and depend on personal preferences when programming individual actions and functions.

Information sources

1. Semenov Yu.A. Telecommunication technologies (v3.28, 08/20/2012), an electronic version on the Internet at http://book.itep.ru/

2. Stepanov S.N. Fundamentals of teletraffic of multiservice networks, M., Eco-Trends, 2010.

3. US Patent No. 7831822, with priority dated December 4, 2006.

Claims (1)

A method for managing connections in a firewall, which is that
receive packets from an external network;
form a connection table containing the following information:
Information about packets included in the connection (source packet, response packet, ICMP errors).
information about package conversions in case of address translation; type of network protocol;
connection status (new, established, closed);
time stamp of the processing of the last packet;
information about connection groups in case of application protocols (FTP, SIP);
determine the total number of established connections at a given time;
determine the load level of the firewall by comparing the number of established connections with a certain threshold value; define new and established connections based on two-way packet exchange between the client and server;
define closed connections based on the processing of ICMP error messages or flags in the TCP header (TCP protocol only);
dynamically determine the current timeout values for connections based on the following parameters:
type of network protocol;
connection status;
firewall load level;
change the time stamp of the processing of the last packet in the case of passing any packet within this connection or within a group of connections;
delete the connection if the processing time stamp of the last packet differs from the current time more than the lifetime determined for this connection.